Security Event Token
Events are delivered in the form of a Security Event Token (SET). A SET contains information about the security event, such as the event type, timestamp, subject, and additional context. It is used for auditing, monitoring, and analyzing security-related activities within a system.
Specifically for SCIM, the SCIM Profile for Security Event Tokens defines how SETs should be structured in a SCIM environment.
Retrieve Events
To retrieve events, you can make a GET request to the /events endpoint. This will return a list of recent security events. This endpoint implements (parts of) RFC 8936: Poll-Based Security Event Token (SET) Delivery Using HTTP.
The request can include the following parameters:
ack: A list of event identifiers
maxEvents: This is the maximum number of events that the server will return in a single response.
shouldReturnImmediately: This is a boolean value that determines whether the server should return immediately if there are no events to retrieve. This server only supports true.
Acknowledge Events
After processing the SETs, the SET Recipient acknowledges received SETs and can poll for more.
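The poll-and-acknowledge cycle above, shown from the SET Recipient's side as an added example (not this server's code): each returned SET is verified before its identifier goes into the next ack list. It assumes the response carries a `sets` object keyed by `jti` as in RFC 8936, and uses an HS256 shared key and a constructed event URI for the demo; all helper names are hypothetical.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # assumption: HS256 shared secret, for the demo only

def b64d(seg):  # base64url without padding, as in JWS compact serialization
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mac(head, body, key):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign_set(claims, key=KEY):  # builds the constructed sample SETs below
    head = b64e(json.dumps({"typ": "secevent+jwt", "alg": "HS256"}).encode())
    body = b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{b64e(mac(head, body, key))}"

def check_set(jti, token, key=KEY):
    """Return None if the SET is acceptable, else the reason it is not."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64d(head)).get("alg") != "HS256":  # pin the algorithm
            return "unexpected alg"
        if not hmac.compare_digest(mac(head, body, key), b64d(sig)):
            return "bad signature"
        claims = json.loads(b64d(body))
        if claims.get("jti") != jti:  # response key must match the signed jti
            return "jti mismatch"
        if not isinstance(claims.get("events"), dict):
            return "no events claim"
    except (ValueError, TypeError, AttributeError):
        return "malformed"
    return None

def process_poll(response, max_events=10):
    """Check every returned SET and build the parameters for the next poll."""
    checked = {jti: check_set(jti, tok) for jti, tok in response.get("sets", {}).items()}
    rejected = {jti: why for jti, why in checked.items() if why}
    ack = sorted(jti for jti, why in checked.items() if why is None)
    params = {"ack": ack, "maxEvents": max_events, "shouldReturnImmediately": True}
    return params, rejected

# Constructed sample poll response: a valid SET, the same SET listed again under
# the key "b2", and a SET signed with a key the recipient does not hold.
CLAIMS = {"iss": "https://scim.example", "iat": 1700000000, "jti": "a1",
          "events": {"urn:example:constructed-event": {}}}
SAMPLE = {"sets": {"a1": sign_set(CLAIMS), "b2": sign_set(CLAIMS),
                   "c3": sign_set({**CLAIMS, "jti": "c3"}, key=b"other-key")}}
```

SETs that fail a check are kept out of ack and returned with a reason, so they can be logged rather than silently confirmed.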